Department of Homeland Security

Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2012 Department of Homeland Security Financial Statement Audit

OIG-13-64                                      April 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

April 4, 2013

MEMORANDUM FOR:  Ken Murphy
                 Acting Chief Information Officer
                 Federal Emergency Management Agency

                 Edward Johnson
                 Chief Financial Officer
                 Federal Emergency Management Agency

FROM:            Frank Deffer
                 Assistant Inspector General
                 Office of Information Technology Audits

SUBJECT:         Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2012 Department of Homeland Security Financial Statement Audit

Attached for your action is our final report, Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2012 Department of Homeland Security Financial Statement Audit. The independent accounting firm KPMG LLP (KPMG) performed the audit of Department of Homeland Security (DHS) financial statements as of September 30, 2012, and prepared this information technology (IT) management letter.

KPMG is responsible for the attached IT management letter dated December 20, 2012, and the conclusion expressed in it. We do not express an opinion on DHS’ financial statements or internal controls or conclusions on compliance with laws and regulations. The DHS management concurred with all recommendations.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

April 2, 2013

Inspector General
U.S. Department of Homeland Security

Acting Chief Information Officer and
Chief Financial Officer
U.S. Federal Emergency Management Agency

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2012, and the related statements of net cost, changes in net position, and custodial activity, and combined statement of budgetary resources for the year then ended (referred to as the “fiscal year (FY) 2012 financial statements”). We were also engaged to audit the Department’s internal control over financial reporting of the FY 2012 financial statements. The objective of our audit engagement was to express an opinion on the fair presentation of the FY 2012 financial statements and the effectiveness of internal control over financial reporting of the FY 2012 financial statements.

In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated November 14, 2012, included internal control deficiencies identified during our audit engagement that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter represents the separate limited distribution report mentioned in that report, of matters related to the Federal Emergency Management Agency (FEMA).

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, contingency planning, and segregation of duties with respect to FEMA’s financial systems general IT controls (GITC) which we believe contribute to a DHS Department-wide material weakness in IT controls and financial system functionality. These matters are described in the General IT Control Findings and Recommendations section of this letter.

The comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter.
We have provided a description of key FEMA financial systems within the scope of the FY 2012 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls (comments not related to IT) have been presented in a separate letter to the Office of Inspector General (OIG) and the DHS Chief Financial Officer.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

This report is intended solely for the information and use of DHS management, DHS OIG, U.S. Office of Management and Budget, U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2012

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                Page
Objective, Scope, and Approach                                     1
Summary of Findings and Recommendations                            2
General IT Control Findings and Recommendations                    4
   Findings                                                        4
      Configuration Management                                     4
      Security Management                                          5
         After-Hours Physical Security Testing                     5
      Access Controls                                              6
      Segregation of Duties                                        7
      Contingency Planning                                         7
   Recommendations                                                 7
      Configuration Management                                     7
      Security Management                                          8
      Access Controls                                              8
      Contingency Planning                                         9
Application Controls                                              11

APPENDICES

Appendix   Subject                                                                                   Page
   A       Description of Key FEMA Financial Systems and IT Infrastructure within the Scope of the     12
           FY 2012 DHS Financial Statement Audit Engagement
   B       FY 2012 Notices of IT Findings and Recommendations at FEMA                                  16
   C       Status of Prior Year Notices of Findings and Recommendations and Comparison to Current      21
           Year Notices of Findings and Recommendations at FEMA

Information Technology Management Letter for the FEMA Component of the FY 2012 DHS Financial Statement Audit

OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit the financial statements of DHS as of and for the year ended September 30, 2012, we performed an evaluation of the general Information Technology (IT) controls (GITCs) at FEMA to assist in planning and performing our audit engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. GAO, formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a federal agency.
FISCAM defines the following five control functions to be essential to the effective operation of GITCs and the IT environment:

   Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

   Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

   Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.

   Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

   Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our GITC audit procedures, we also performed technical security testing for key network and system devices and testing over certain key financial application controls in the FEMA environment. The technical security testing was performed from within select FEMA and contractor facilities and focused on production devices that directly support FEMA’s financial processing and key general support systems. Limited after-hours physical security testing was also included in the scope of technical security testing.

In addition to testing FEMA’s GITC environment, we performed application control tests on a limited number of FEMA’s financial systems and applications, specifically those supporting the National Flood Insurance Program (NFIP). The application control testing was performed to assess the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

Information Technology Management Letter for the FEMA Component of the FY 2012 Department of Homeland Security Financial Statement Audit
Page 1

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2012, FEMA took corrective action to address certain prior year IT control weaknesses. For example, FEMA made improvements over designing and implementing certain physical and logical access controls over FEMA and NFIP information systems, as well as strengthening and improving controls around patch management and vulnerability management.
However, during FY 2012, we continued to identify GITC and entity-level control weaknesses that could potentially impact FEMA’s financial data.

FEMA Office of the Chief Financial Officer (OCFO) and Office of the Chief Information Officer (OCIO) management informed us that management conducted a quantitative and qualitative analysis of the composite functions, capabilities, applications, and subsystems previously included within the accreditation boundary of the General Support System (GSS) previously accredited as the National Emergency Management Information System (NEMIS). As a result of that analysis and our planning considerations, Non-Disaster Grants (ND Grants), Emergency Support (ES), and the Emergency Management Mission Integrated Environment (EMMIE) were identified as financially significant information systems subject to controls test work during the FY 2012 audit. Consequently, findings issued in FY 2011 which related to the previous NEMIS accreditation boundary were determined to be no longer applicable to FEMA’s control environment and were closed. Test work was performed specific to these three systems to determine the status of corrective actions implemented to address the prior year NEMIS-related conditions.

The most significant weaknesses from a financial statement audit perspective related to controls over security management, access control, configuration management, and contingency planning for the Integrated Financial Management Information System (IFMIS)-Merger, Payment and Reporting System (PARS), ND Grants, ES, EMMIE, Traverse, Transaction Record Reporting and Processing (TRRP), and associated General Support System (GSS) environments including the FEMA Enterprise Network (FEN), as well as weaknesses over physical security and security awareness.

Collectively, the IT control weaknesses limited FEMA’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over FEMA financial reporting and its operation, and we consider them to collectively contribute to a material weakness at the DHS level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that FEMA did not fully comply with the requirements of the Federal Financial Management Improvement Act of 1996.

Of the 61 findings identified during our FY 2012 testing, 16 were repeat findings, either partially or in whole from the prior year, and 45 were new IT findings. While 32 of 48 prior year findings were closed in FY 2012, as noted above, 11 were closed solely because of the decoupling of the previous NEMIS accreditation boundary into its constituent financial systems. Through our test work we noted that weaknesses existed in the 3 financially significant decoupled systems in the control areas related to these prior year findings, and as a result, 29 new findings were issued. Further, 9 prior year NFRs were closed based on improvements noted in the design and implementation of certain controls, which enabled us to test the operating effectiveness of the control. However, this additional test work highlighted inconsistencies in control implementation, resulting in 9 new findings being issued. The 61 findings issued represent weaknesses in each of the five FISCAM key control areas.

The majority of findings resulted from the lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance.
Specifically, the findings stem from:

    1. Inadequately designed and ineffective access control policies and procedures relating to the management of logical access to financial applications, databases, and support systems, and periodic supervisor recertification of user access privileges;
    2. Insufficient logging of system events and monitoring of audit logs;
    3. Inadequately designed and ineffective configuration management policies and procedures;
    4. Patch, configuration, and vulnerability management control deficiencies within systems;
    5. Improper or incomplete security authorization activities and supporting artifacts and documentation; and
    6. Inadequately documented or tested contingency plans and the lack of alternate processing capabilities.

These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and FEMA financial data could be exploited, thereby compromising the integrity of FEMA financial data used by management and reported in the DHS financial statements.

While the recommendations made by us should be considered by FEMA, it is the ultimate responsibility of FEMA management to determine the most appropriate method(s) for addressing the weaknesses identified.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During our engagement to audit the FY 2012 DHS financial statements, we identified the following FEMA GITC control deficiencies that in the aggregate contribute to the IT material weakness at the Department level.

Configuration Management

    - Password, security patch management, and configuration deficiencies were identified during the vulnerability assessment on hosts supporting IFMIS-Merger, NDGrants, EMMIE, Traverse, and the NFIP Local Area Network (LAN), and financially significant segments of the FEN and end-user computing environment.
    - Formal procedures for conducting internal scans of servers supporting FEMA systems did not define requirements or procedures to ensure that system owners document reviews of scan results. Additionally, internal scans over ES system components were not consistently performed.
    - A formalized configuration management plan (CMP) for ES was not documented to ensure that changes were adequately and centrally controlled, documented, or managed throughout the lifecycle of the FEMA configuration management process, and the CMPs for EMMIE and NDGrants did not fully document all control activities necessary to support the review and approval of changes to those systems.
    - The use of shared accounts for deploying changes to the NDGrants and EMMIE production environments was not properly authorized, controlled or monitored, and controls to validate the integrity and completeness of changes to those systems were not designed or implemented properly.
    - Configuration management policies and procedures did not include comprehensive requirements for the frequency, documentation, and performance of monitoring audits for configuration baselines for all relevant network devices such as firewalls, routers, and switches that support IFMIS-Merger to ensure that configuration items within the scope of the system accreditation boundary are documented and monitored in accordance with FEMA policy.
      Additionally, configuration changes which were implemented over these devices were not consistently or adequately documented or authorized.
    - Formal procedures to require monitoring of changes deployed to IFMIS-Merger program libraries to review and validate implemented changes did not accurately reflect existing technical controls and processes related to configuration management activities within the production environment. Furthermore, reviews of developer activities were not consistently conducted for changes implemented during FY 2012.
    - Formal procedures for conducting internal scans of the NFIP LAN supporting Traverse did not include requirements for tracking and monitoring all types of vulnerabilities via the Plan of Actions & Milestones (POA&M) process.
    - A testing environment did not exist to validate changes to Traverse software prior to deployment to production.
    - TRRP and IFMIS-Merger changes were not consistently tested or approved prior to development and implementation into production.

Security Management

    - Policies and procedures requiring the completion and tracking of specialized training for FEMA employees and contractors identified as possessing significant information security responsibilities and identification of applicable personnel subject to specialized training requirements had not been fully implemented as required by DHS policy.
    - Security authorization activities and supporting documentation and artifacts for IFMIS-Merger, FEN, EMMIE, NDGrants, and ES – including Authorization to Operate (ATO) memoranda, risk assessments, privacy threshold analyses, security plans, IT contingency plans (CP) and associated plan test results, security control assessments, Security Assessment Reports (SAR) and corresponding POA&Ms – were not completed in accordance with DHS and NIST requirements.
    - IT security management responsibilities were not consistently or adequately assigned and performed over the FEMA POA&M process for FY 2011 IT audit findings, in accordance with DHS guidance.
    - Background investigations for FEMA Federal employees and contractors accessing DHS IT systems were not appropriately conducted, and results were not properly documented or tracked.

After-Hours Physical Security Testing:

On May 29 and June 6, 2012, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data and information residing within a FEMA employee’s or contractor’s work area which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various FEMA locations that process and/or maintain financial data.
The specific results are listed in the following table:

                                                     FEMA Locations Tested
                                           Washington                  FEMA      Total
                                               Design   Patriots    Finance Exceptions
Exceptions Noted                               Center      Plaza     Center    by Type
Passwords                                          19         18          2         39
For Official Use Only (FOUO)                        3          3          0          6
Keys                                                0          0          0          0
Personally Identifiable Information (PII)          10          0          3         13
Unlocked Laptops                                    5          1         13         19
Server Names/IP Addresses                           1          0          0          1
Credit Cards                                        0          0          0          0
Classified Documents                                0          0          0          0
Unsecured External Media                            0          0          1          1
Unlocked Interior Office                            1          0          0          1
Total by Location                                  39         22         19         80

Access Controls

    - Traverse application accounts were not periodically recertified at an appropriate level of detail to determine the continued appropriateness of user access and associated privileges and system functionality.
    - FEN accounts were not disabled or removed promptly upon personnel termination.
    - Initial and modified access granted to IFMIS-Merger application users was not properly or timely documented and authorized.
    - Documented procedures for auditing IFMIS-Merger, NDGrants, ES, EMMIE, and PARS databases, the Traverse application, and the NFIP LAN were not comprehensive and did not meet DHS requirements.
      Additionally, for NDGrants, ES, EMMIE, Traverse, and the NFIP LAN, logging of operating system, application, and/or database events required to be recorded was not enabled for some or all of the events; audit logs were not appropriately reviewed and/or were reviewed by those with conflicting roles; and evidence of audit log reviews was not retained.
    - Documented procedures for managing access to the NDGrants, ES, and EMMIE applications and databases, including sensitive access to system components managed by the FEMA IT Operations Branch System, Database and Application Management (SDAM) team, were incomplete or did not adequately consider requirements for system owner review and approval of access privileges for users and individuals with elevated privileges within the systems.
    - Generic accounts and remote access to the FEN and elevated privileges to FEMA and NFIP financial systems were not authorized by the appropriate FEMA management official as required by DHS policy.
    - Strong password requirements were not enforced on the NDGrants, ES, and EMMIE databases, and documentation supporting exceptions to DHS password requirements was incomplete.
    - Interconnections between the FEN and one external system were not properly authorized or documented for a majority of the fiscal year.
    - Documentation describing the implementation of IFMIS-Merger system user functions was incomplete or inaccurate.
    - Emergency and temporary access to the IFMIS-Merger production environment was not consistently authorized.
    - Certain FEMA personnel with financial reporting, management, and oversight roles were granted IFMIS-Merger application access that was excessive and/or not consistent with the principles of least privilege and separation of duties, and existing system documentation did not adequately define the implementation of certain access groups and associated privileges granted to these personnel.

Segregation of Duties – We identified segregation of duties weaknesses associated with other FISCAM areas. Specifically, weaknesses in those areas pertain to access controls over audit log reviews and configuration management controls for migrating code into production. See those respective sections for additional information.

Contingency Planning

    - Alternate processing sites for NDGrants, ES, and EMMIE were not established and implemented.
    - Business Impact Assessments (BIAs) were not performed prior to development of the NDGrants, ES, and EMMIE CPs; FEMA management review and approval of the ES and IFMIS-Merger CPs were not performed or documented within frequencies required by DHS policy; and the EMMIE and IFMIS-Merger CPs were not updated as a result of plan testing.

Recommendations:

We recommend that the FEMA Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS OCFO and the DHS OCIO, make the following improvements to FEMA’s financial management systems and associated IT security program.

For Configuration Management

    - Implement the specific vendor-recommended corrective actions detailed in the NFRs that were issued for deficiencies identified during our vulnerability assessments.
    - Develop or revise and ensure that formal procedures are understood and consistently implemented by system owners for documenting reviews of internal vulnerability scan results, and develop and implement controls for monitoring compliance with vulnerability management policies and procedures.
    - Develop or revise and implement formal configuration management plans for ES, EMMIE, and NDGrants to control changes to financial systems application software, and ensure consistent adherence with requirements for approving, testing, documenting, properly controlling and tracking changes, and retaining related documentation.
    - Revise formalized processes and procedures for deploying NDGrants and EMMIE changes to the production environment to ensure that the use of shared accounts for movement of production code into each production environment is appropriately authorized, controlled, and monitored.
    - Develop and implement appropriate formal technical and management controls to systematically track and review modifications to the NDGrants and EMMIE production environments to ensure the completeness and integrity of change reports and logs.
    - Revise and implement configuration management policies and procedures over managing configuration changes for FEN network devices supporting financial applications, including IFMIS-Merger, to ensure that changes are consistently documented and authorized by FEMA management consistent with DHS policy and the FEN configuration management plan.
    - Revise formal procedures for controlling changes deployed to IFMIS-Merger program libraries to reflect the current production environment, and implement controls for consistently verifying that only authorized changes are implemented into production and for retaining evidence of reviews conducted on file.
    - Revise and implement comprehensive vulnerability management policies and procedures to ensure that all potential vulnerabilities identified during internal scans of the NFIP LAN supporting Traverse are documented and tracked via the POA&M process.
    - Complete on-going efforts to establish and implement a separate test environment to support validation of changes to Traverse software prior to deployment to production.
    - Ensure the consistent implementation of configuration management procedures and development of supporting documentation for all changes to IFMIS-Merger and TRRP.

For Security Management

    - Implement policies and procedures requiring initial and periodic specialized training for individuals with significant information security responsibilities to ensure that all individuals possessing specific roles and positions associated with significant information security responsibilities are identified and compliance with training requirements is tracked.
    - Document or update all required security authorization artifacts for IFMIS-Merger, FEN, EMMIE, NDGrants, and ES in accordance with DHS policy and NIST guidance, and revise and fully implement appropriate monitoring controls to ensure continued compliance with applicable criteria related to security authorization activities and supporting documentation.
    - Revise and implement formalized processes to ensure that POA&Ms related to audit findings for financial systems are developed and maintained in accordance with DHS guidance.
    - Further refine processes to ensure that background investigations for all types of Federal employees and contractors are consistently performed and centrally tracked in accordance with
DHS policy.\n   Review the effectiveness of existing security awareness programs designed to protect \xe2\x80\x9cneed-to-know\xe2\x80\x9d\n   information, including IT system access credentials, electronic and physical data, PII, and FOUO\n   agency information, including FEMA\xe2\x80\x99s planned Operational Security (\xe2\x80\x9cOPSEC\xe2\x80\x9d) framework and\n   associated policies, procedures, and monitoring controls, and ensure that individuals are adequately\n   instructed and reminded of their roles in the protection of sensitive system information from\n   unauthorized individuals through formal, periodic communications and/or security awareness\n   training.\n\nFor Access Controls\n\n   Establish and/or implement user account management recertification processes, and require\n   completion of periodic reviews of all user accounts for appropriate access and documentation of\n   current user profiles for the Traverse application.\n\n              Information Technology Management Letter for the FEMA Component\n\n           of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                           Page 8\n\n\x0c                                Department of Homeland Security\n\n                            Federal Emergency Management Agency\n\n                            Information Technology Management Letter\n                                       September 30, 2012\n\n   Update, as necessary, and implement procedures and processes to ensure that all FEN accounts of\n   terminated employees and contractors are immediately removed/disabled upon their departure.\n   Review and revise existing procedures to require documented authorization of new and modified\n   IFMIS-Merger, EMMIE, NDGrants, and ES database and application user accounts by system\n   owners, supervisors, program managers, and contracting officers\xe2\x80\x99 technical representatives in\n   accordance with DHS requirements.\n   Revise and 
implement detailed procedures requiring the consistent and timely review of IFMIS-\n   Merger, NDGrants, ES, EMMIE, PARS, NFIP LAN, and Traverse database, application, and\n   operating system logs and the maintenance of documentation supporting such reviews in accordance\n   with DHS requirements.\n   Configure audit logs for NFIP LAN, Traverse, EMMIE, NDGrants, and ES databases and\n   applications to ensure that auditable events, as required by DHS policy, are recorded, retained, and\n   appropriately reviewed by independent security management personnel, and sufficient evidence is\n   retained.\n   Revise and implement policies and procedures for documenting, reviewing, and approving generic\n   accounts and remote access to the FEN and elevated privileges to FEMA and NFIP financial systems,\n   by appropriate FEMA management officials as required by DHS policy.\n   Configure NDGrants, ES, and EMMIE databases to enforce strong password and authenticator\n   control requirements for all user accounts and, if necessary and justified by operational and business\n   requirements, ensure that documented requests for exceptions from DHS password requirements\n   identify all affected accounts subject to deviations from standard controls.\n   Revise and implement policies and procedures for documenting, reviewing, and approving external\n   connections to the FEMA network, including documentation of roles, responsibilities, and security\n   requirements within Interconnection Security Agreements (ISAs) or equivalent agreements.\n   Revise and implement policies and procedures for documenting IFMIS-Merger security functions to\n   ensure that system documentation accurately and completely reflects existing functionality and\n   privileges assigned to application users.\n   Implement and monitor compliance with a formal process for granting and documenting authorization\n   of emergency and temporary access to the IFMIS-Merger production environment.\n   Revise and 
implement controls to manage the assignment of groups and corresponding roles and\n   functionality within the IFMIS application, including relative to individuals in financial reporting,\n   management, or oversight roles within FEMA, by identifying conflicting roles, revising system\n   documentation as appropriate, and modifying existing assignments to address violations of\n   segregation of duties and least privilege principles.\n\nFor Contingency Planning\n\n   Complete on-going efforts to establish and implement alternate processing sites for NDGrants, ES,\n   and EMMIE.\n\n\n              Information Technology Management Letter for the FEMA Component\n\n           of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                           Page 9\n\n\x0c                           Department of Homeland Security\n                       Federal Emergency Management Agency\n                       Information Technology Management Letter\n                                  September 30, 2012\n\nConduct and document the results of BIAs for NDGrants, ES, and EMMIE, and update corresponding\nCPs as appropriate based on the results of assessments.\nUpdate EMMIE and IFMIS-Merger CPs as appropriate based on results and lessons learned from\ntesting, and submit ES and IFMIS-Merger CPs to appropriate FEMA management officials for review\nand approval at least annually.\n\n\n\n\n          Information Technology Management Letter for the FEMA Component\n\n       of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                       Page 10\n\n\x0c                                Department of Homeland Security\n\n                            Federal Emergency Management Agency\n\n                            Information Technology Management Letter\n                                       September 30, 2012\n\n                                  APPLICATION CONTROLS\n\nWe concluded that 
application controls over NDGrants, ES, EMMIE, IFMIS-Merger, and PARS could
not be relied upon for purposes of our FY 2012 audit engagement procedures because of the nature of the
GITC deficiencies identified and discussed above. As a result, we did not test application controls for
these financial systems. However, we conducted certain application control testing over key financial
systems supporting NFIP. Based on the testwork conducted, we did not identify any findings in the area
of application controls related to NFIP financial systems during the FY 2012 FEMA audit engagement.

Appendix A

Description of Key FEMA Financial Systems and IT Infrastructure
within the Scope of the FY 2012 DHS Financial Statement Audit

Below is a description of significant FEMA financial management systems and supporting IT
infrastructure included in the scope of FEMA’s FY 2012 financial statement audit.

Integrated Financial Management Information System – Merger (IFMIS-Merger)

IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and
external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost Posting,
Disbursements, Accounts Receivable, and General Ledger. The application is a commercial off-the-shelf
software package developed and maintained by Digital Systems Group Incorporated. IFMIS-Merger
interfaces with PARS, ProTrac, Smartlink (Department of Health and Human Services [HHS]), Treasury
Information Executive Repository (Department of the Treasury), Secure Payment System (Department of
the Treasury), Grants Management System (Department of Justice), United States Coast Guard Credit
Card System, Credit Card Transaction Management System (CCTMS), Fire Grants, eGrants, Enterprise
Data Warehouse and Payroll (Department of Agriculture National Finance Center). The IFMIS-Merger
production environment is located in Virginia.

Payment and Reporting System (PARS)

PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger UNIX
server and is incorporated within the Certification & Accreditation (C&A) boundary for that system.
Through its web interface, PARS collects Standard Form 425 information from grantees and stores the
information in its Oracle 9i database. Automated scheduled jobs are run daily to update and interface
grant and obligation information between PARS and IFMIS-Merger. All payments to grantees are made
through IFMIS-Merger. PARS is located in Virginia.

Non-Disaster Grant Management System (NDGrants)

NDGrants is a web-based system that supports the grants management lifecycle and is used by external
stakeholders and grantees, via a public Web site, to apply for grants and monitor the progress of grant
applications, submit payments, and view related reports, and by the FEMA Program Support Division, via
an internal Web site, for reviewing, approving, and processing grant awards. NDGrants interfaces with
two other systems: FEMA’s internal Integrated Security and Access Control System (ISAAC), used for
user credentialing and role-based access, and the HHS Grants.gov system, used for publishing grant
solicitations and downloading applications. NDGrants is located in Virginia.

Emergency Support (ES)

ES is an internal FEMA application for pre-processing disaster-related financial transactions, including
allocation, commitment, obligation, mission assignment and payment requests from other internal and
external systems. ES serves as the primary interface to IFMIS. It also allows FEMA users to process
disaster housing payments, perform payment recoupment, and conduct other administrative tasks.
In addition to IFMIS, ES has interfaces to several other FEMA systems, including:

- ISAAC (organizational and personnel data and team setup);
- Emergency Coordination (incident and disaster declarations);
- Enterprise Coordination and Approvals Processing System (commitment and mission assignment
  [obligation] requests);
- Hazard Mitigation Grants Program (allocation and obligation requests);
- Individual Assistance (payment and recoupment requests);
- Public Assistance (PA) (obligation and allocation requests);
- Automated Deployment Database (personnel data);
- Assistance to Firefighters Grants (obligation, invoice and vendor requests);
- Emergency Management Mission Integrated Environment (EMMIE) (obligation requests);
- Mitigation Electronic Grants Management System (obligation requests); and
- CCTMS (expenditure requests).

NDGrants is located in Virginia.

Emergency Management Mission Integrated Environment (EMMIE)

EMMIE is an internal Web-based grants management solution used by FEMA program offices and user
communities directly involved in the grant lifecycle associated with the PA Grant Program and the Fire
Management Assistance Grant Program. It is also designed to interface with other government entities
and grant and sub-grant applicants (e.g., states and localities). EMMIE provides functionality for public
entities and private-non-profit entities to create and submit grant applications and for FEMA users to
review and award applications, generate and review relevant mission critical reports, process
amendments, and conduct close-out activities.
Interfaces exist between the EMMIE system and IFMIS. EMMIE is located in Virginia.

Traverse

Traverse is the general ledger application currently used by the NFIP Bureau and Statistical Agent to
generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP LAN
Windows server environment located in Maryland. The Traverse client is installed on the desktop
computers of the NFIP Bureau of Financial Statistical Control group members and interfaces with a
Microsoft Structured Query Language database hosted on an internal segment of the NFIP LAN.
Traverse has no known external system interfaces.

Transaction Recording and Reporting Processing (TRRP)

The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO)
companies and the Direct Servicing Agent (DSA) for the NFIP. TRRP also supports the WYO program,
primarily by ensuring the quality of financial data submitted by the WYO companies and DSA to TRRP.
TRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Connecticut.
TRRP has no known system interfaces.

Appendix B

FY 2012 Notices of IT Findings and Recommendations at FEMA

FY 2012 NFR # | NFR Title | FISCAM Control Area | New or Repeat Issue
FEMA-IT-12-01 | Security Awareness Issues Identified during After-Hours Physical Security Testing at FEMA | Security Management | Repeat
FEMA-IT-12-02 | All Required Auditable Events Not Included in Traverse Audit Logs | Access Controls | Repeat
FEMA-IT-12-03 | Inadequate Retention of NFIP LAN Audit Logs | Access Controls | Repeat
FEMA-IT-12-04 | Inadequate Documentation Supporting IFMIS-Merger User Functions | Access Controls | Repeat
FEMA-IT-12-05 | Incomplete Recertification of Traverse Application User Privileges | Access Controls | New
FEMA-IT-12-06 | Weaknesses Identified during the Vulnerability Assessment on IFMIS | Access Controls and Configuration Management | Repeat
FEMA-IT-12-07 | Weaknesses Identified during the Vulnerability Assessment on the NFIP LAN | Access Controls and Configuration Management | New
FEMA-IT-12-08 | Weaknesses Identified during the Vulnerability Assessment on Financially Significant Segments of the FEN and End-User Computing Environment | Access Controls and Configuration Management | New
FEMA-IT-12-09 | Weaknesses Identified during the Vulnerability Assessment on EMMIE | Access Controls and Configuration Management | New
FEMA-IT-12-10 | Weaknesses Identified during the Vulnerability Assessment on NDGrants | Access Controls and Configuration Management | New
FEMA-IT-12-11 | Inconsistent Authorization of New and Modified IFMIS-Merger Application User Access | Access Controls | New
FEMA-IT-12-12 | Untimely Removal of FEN Access Privileges for Separated FEMA Employees | Access Controls | Repeat
FEMA-IT-12-13 | Incomplete Implementation of Role-Based Training for Individuals with Significant Information Security Responsibilities | Security Management | Repeat
FEMA-IT-12-14 | Incomplete POA&Ms for Internal NFIP LAN Vulnerability Assessments | Configuration Management | New
FEMA-IT-12-15 | Weaknesses in the Management of POA&Ms for Audit Findings over FEMA Financial Systems | Security Management | Repeat
FEMA-IT-12-16 | Inconsistent Review of Audit Logs of IFMIS-Merger System Software Administrator Activity | Access Controls | New
FEMA-IT-12-17 | Lack of Adequate Configuration Management over Network Devices Supporting Financial Systems | Configuration Management | Repeat
FEMA-IT-12-18 | Non-Compliance with DHS Policy for Approval of Shared Accounts on the FEN | Access Controls | New
FEMA-IT-12-19 | Non-Compliance with DHS Policy for Approval of Remote Access to the FEN | Access Controls | New
FEMA-IT-12-20 | Lack of ISA between FEMA and Department of Justice | Access Controls | New
FEMA-IT-12-21 | Inadequate Security Authorization Documentation for the FEN | Security Management | Repeat
FEMA-IT-12-22 | Lack of CMP Documentation for ES | Configuration Management | New
FEMA-IT-12-23 | Lack of Testing Traverse Application Changes Prior to Implementation | Configuration Management | Repeat
FEMA-IT-12-24 | Inconsistent Documentation of TRRP Configuration Changes | Configuration Management | Repeat
FEMA-IT-12-25 | Inconsistent Review of PARS Database Audit Logs | Access Controls | New
FEMA-IT-12-26 | Lack of BIA Supporting the NDGrants CP | Contingency Planning | New
FEMA-IT-12-27 | Lack of Alternate Processing Site and Sufficient CP Testing for NDGrants | Contingency Planning | New
FEMA-IT-12-28 | Inconsistent Implementation of DHS Background Investigation Requirements for FEMA Federal Employees and Contractors | Security Management | Repeat
FEMA-IT-12-29 | Non-Compliance with DHS Policies for IFMIS-Merger Security Authorization Documentation | Security Management | New
FEMA-IT-12-30 | Lack of Adequate IFMIS-Merger CP and Plan Test Documentation | Contingency Planning | New
FEMA-IT-12-31 | Approval of Elevated Privileges Was Not Consistent with DHS Policy | Access Controls | New
FEMA-IT-12-32 | Lack of EMMIE System Owner Approval for Database Accounts | Access Controls | New
FEMA-IT-12-33 | Incomplete Access Procedures for Operations Branch Database Accounts | Access Controls | New
FEMA-IT-12-34 | Lack of ES System Owner Approval for Database Accounts | Access Controls | New
FEMA-IT-12-35 | Lack of NDGrants System Owner Approval for Database Accounts | Access Controls | New
FEMA-IT-12-36 | Inconsistent Review of IFMIS-Merger Application and Database Audit Logs | Access Controls | Repeat
FEMA-IT-12-37 | Insufficient Development and Update of the EMMIE CP | Contingency Planning | New
FEMA-IT-12-38 | Non-Compliance with Alternate Processing Site Requirements for EMMIE | Contingency Planning | New
FEMA-IT-12-39 | Insufficient Review and Approval of the ES CP | Contingency Planning | New
FEMA-IT-12-40 | Non-Compliance with Alternate Processing Site Requirements for ES | Contingency Planning | New
FEMA-IT-12-41 | Incomplete POA&Ms for EMMIE SAR Weaknesses | Security Management | New
FEMA-IT-12-42 | Non-Compliant Security Authorization Package for NDGrants | Security Management | New
FEMA-IT-12-43 | Non-Compliant Security Authorization Package for ES | Security Management | New
FEMA-IT-12-44 | Incomplete Account Management Procedures for the EMMIE Application | Access Controls | New
FEMA-IT-12-45 | Incomplete Account Management Procedures for NDGrants | Access Controls | New
FEMA-IT-12-46 | Incomplete Account Management Procedures for ES | Access Controls | New
FEMA-IT-12-47 | Non-Compliance with DHS and FEMA Password Requirements for Oracle Databases Supporting Financial Applications | Access Controls | New
FEMA-IT-12-48 | Incomplete Waiver Request for Password Controls on Oracle Databases Supporting Financial Applications | Access Controls | New
FEMA-IT-12-49 | Inconsistent Authorization of Temporary Access to IFMIS-Merger System Software | Access Controls and Configuration Management | Repeat
FEMA-IT-12-50 | Inadequate Monitoring of Configuration Changes Deployed to the IFMIS-Merger Production Environment | Configuration Management | Repeat
FEMA-IT-12-51 | Inconsistent Activities and Incomplete Documentation Supporting Configuration Changes for the IFMIS-Merger Application | Configuration Management | New
FEMA-IT-12-52 | Lack of ES Information System Security Officer Review of Monthly Vulnerability Scan Results | Configuration Management | New
FEMA-IT-12-53 | Insufficient Audit Log Controls for EMMIE | Access Controls | New
FEMA-IT-12-54 | Insufficient Audit Log Controls for NDGrants | Access Controls | New
FEMA-IT-12-55 | Insufficient Audit Log Controls for ES | Access Controls | New
FEMA-IT-12-56 | Incomplete Documentation Supporting EMMIE Configuration Management Controls | Configuration Management | New
FEMA-IT-12-57 | Unauthorized Shared Account Usage for EMMIE and NDGrants Production Application Deployments | Configuration Management | New
FEMA-IT-12-58 | Lack of Controls to Validate Completeness and Integrity of EMMIE and NDGrants Application Changes Deployed to Production | Configuration Management | New
FEMA-IT-12-59 | Incomplete Documentation Supporting NDGrants Configuration Management Controls | Configuration Management | New
FEMA-IT-12-60 | Incomplete Vulnerability Management Procedures | Configuration Management | New
FEMA-IT-12-61 | Excessive or Inappropriate Access to IFMIS | Access Controls | New

Appendix C

Status of Prior Year Notices of Findings and Recommendations and
Comparison to Current Year Notices of Findings and
Recommendations at FEMA

NFR #   Description   Disposition
                      Closed
    Repeat\nFEMA-IT-11-01   Alternate Processing Site for NEMIS Has Not Been Established                                                X\n                Weaknesses Exist in the C&A Package for the FEMA Switched Network (FSN)-2, which Includes the FEMA\nFEMA-IT-11-02                                                                                                                        FEMA-IT-12-21\n                LAN\nFEMA-IT-11-03   Weaknesses Exist over the ATO and C&A Documentation for NEMIS                                               X\n                NEMIS CP Does Not Comprehensively Address the Requirements of DHS Policy and Has Not Been\nFEMA-IT-11-04                                                                                                               X\n                Adequately Tested\n                Formalized Training Requirements for Individuals with Significant Information Security Responsibilities\nFEMA-IT-11-05                                                                                                                        FEMA-IT-12-13\n                Have Not Been Fully Implemented and Role-Based Training is Not Tracked or Monitored\nFEMA-IT-11-06   Documentation Supporting IFMIS-Merger User Functions Does Not Exist                                                  FEMA-IT-12-04\n                Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary are\nFEMA-IT-11-07                                                                                                               X\n                Not Configured to Enforce Password Requirements\n                Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary Do\nFEMA-IT-11-08                                                                                                               X\n                Not Adequately Enforce Account Lockout Requirements\n                Operating System 
Audit Logging on Servers Supporting Financial Applications within the Previous NEMIS\nFEMA-IT-11-09                                                                                                               X\n                Accreditation Boundary is Not Adequate\n                Weaknesses Existed over Contingency Planning, Testing and Development of the Continuity of Operations\nFEMA-IT-11-10                                                                                                               X\n                Plan for TRRP and Traverse\nFEMA-IT-11-11   Recertification of NEMIS Access Control System Position Assignments is Incomplete                           X\n                Audit Logging on Databases Supporting Financial Applications within the Previous NEMIS Accreditation\nFEMA-IT-11-12                                                                                                               X\n                Boundary is Not Adequate\n                Weaknesses Exist over Vulnerability Management for Servers Supporting Financial Applications within the\nFEMA-IT-11-13                                                                                                               X\n                Previous NEMIS Accreditation Boundary\nFEMA-IT-11-14   NFIP Physical Access Policies and Procedures were Not Appropriately Documented and Implemented              X\nFEMA-IT-11-15   NFIP LAN and Traverse Account Security Configuration Is Not in Compliance with DHS Policy                   X\n\n                                  Information Technology Management Letter for the FEMA Component\n\n                               of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                               Page 22\n\n\x0c                                                                                                                                       Appendix C\n                                   
                 Department of Homeland Security\n                                                Federal Emergency Management Agency\n                                                Information Technology Management Letter\n                                                           September 30, 2012\n\n                                                                                                                                   Disposition\n   NFR #                                                      Description\n                                                                                                                          Closed         Repeat\nFEMA-IT-11-16   TRRP Logical Access was Not Appropriately Authorized                                                        X\nFEMA-IT-11-17   Weaknesses Exist over Configuration and Operating Effectiveness of Traverse Audit Logs                               FEMA-IT-12-02\nFEMA-IT-11-18   Inadequate Monitoring of Configuration Changes Deployed to the IFMIS-Merger Production Environment                   FEMA-IT-12-50\n                Weaknesses Exist over Configuration Management Processes for Financial Applications within the Previous\nFEMA-IT-11-19                                                                                                               X\n                NEMIS Accreditation Boundary\nFEMA-IT-11-20   Weaknesses Exist over IFMIS-Merger Configuration Management Processes                                       X\nFEMA-IT-11-21   Weaknesses Exist over Recertification of Access to the IFMIS-Merger Application                             X\nFEMA-IT-11-22   Weaknesses Exist over TRRP Mainframe Audit Logs                                                             X\nFEMA-IT-11-23   Emergency and Temporary Access to IFMIS-Merger is Not Properly Authorized                                            FEMA-IT-12-49\nFEMA-IT-11-24   Weaknesses Exist over IFMIS-Merger Application and Database Audit 
Logging                                            FEMA-IT-12-36\nFEMA-IT-11-25   IFMIS\xe2\x80\x93Merger User Access was Not Managed in Accordance with Account Management Procedures                   X\nFEMA-IT-11-26   PARS Database Security Controls Are Not Appropriately Established                                           X\nFEMA-IT-11-27   NFIP LAN Audit Logging is Not Performed in Accordance with DHS and FEMA Requirements                                 FEMA-IT-12-03\n                Individual User Virtual Private Network (VPN) Access Accounts are Not Appropriately Authorized or\nFEMA-IT-11-28                                                                                                               X\n                Recertified\nFEMA-IT-11-29   External Connections to the FEMA VPN Are Not Appropriately Authorized or Documented                         X\nFEMA-IT-11-30   IFMIS-Merger System Software Administrator Activity Is Not Appropriately Restricted or Monitored            X\nFEMA-IT-11-31   Weaknesses Exist over C&A Documentation for IFMIS-Merger                                                    X\nFEMA-IT-11-32   Risk Assessment Activities over NFIP IT Systems were Not Adequately Performed                               X\nFEMA-IT-11-33   Weaknesses Exist over Management and Technical Controls Associated with FEMA LAN Accounts                            FEMA-IT-12-12\nFEMA-IT-11-34   Employee Termination Process for Removing System Access Should Be More Proactive                            X\n\n\n                                 Information Technology Management Letter for the FEMA Component\n\n                              of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                              Page 23\n\n\x0c                                                                                                                                  Appendix C\n                                      
              Department of Homeland Security\n                                                Federal Emergency Management Agency\n                                                Information Technology Management Letter\n                                                           September 30, 2012\n\n                                                                                                                              Disposition\n   NFR #                                                       Description\n                                                                                                                     Closed         Repeat\nFEMA-IT-11-35   Traverse Configuration Management Plan Weaknesses                                                               FEMA-IT-12-23\nFEMA-IT-11-36   TRRP Configuration Management Plan Weaknesses                                                                   FEMA-IT-12-24\nFEMA-IT-11-37   Documentation Supporting TRRP Test Libraries Does Not Reflect Current Environment                      X\nFEMA-IT-11-38   Federal Insurance and Mitigation Administration CMP has Not Been Developed                             X\nFEMA-IT-11-39   Weaknesses Exist over Background Investigations for Federal Employees and Contractors                           FEMA-IT-12-28\nFEMA-IT-11-40   Weaknesses in the Management of POA&Ms for Audit Findings over FEMA Financial Systems                           FEMA-IT-12-15\nFEMA-IT-11-41   Physical Security and Security Awareness Issues Associated with Enhanced Security Testing at FEMA               FEMA-IT-12-01\nFEMA-IT-11-42   Traverse Accounts Were Not Appropriately Recertified                                                   X\nFEMA-IT-11-43   Lack of Adequate Configuration Management over Network Devices Supporting Financial Systems                     FEMA-IT-12-17\n                Password, Patch, and Configuration Management Weaknesses Were Identified during the 
Vulnerability\nFEMA-IT-11-44                                                                                                                   FEMA-IT-12-06\n                Assessment on IFMIS, NEMIS, and Key Support Servers\nFEMA-IT-11-45   Vulnerability Assessment Program for the NFIP LAN Supporting Traverse was Inadequate                   X\n                Weaknesses Existed over the Configuration Patch Management Process for the NFIP LAN Supporting\nFEMA-IT-11-46                                                                                                          X\n                Traverse\n                Weaknesses Exist over the Configuration and Testing of Backups for Servers Supporting Financial\nFEMA-IT-11-47                                                                                                          X\n                Applications within the Previous NEMIS Accreditation Boundary\n                Key Controls over Production Servers Supporting Applications within the Former NEMIS Accreditation\nFEMA-IT-11-48                                                                                                          X\n                Boundary Have Not Been Implemented\n\n\n\n\n                                 Information Technology Management Letter for the FEMA Component\n\n                              of the FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                              Page 24\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this document, please call us at (202) 254-4100, fax your\nrequest to (202) 254-4305, or e-mail your request to our Office of Inspector General\n(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.\n\nFor additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter\nat: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or 
any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245\nMurray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may\ncall 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'